Danger (still) lurks in the Internet of Things (IoT)

CES 2016 has come and gone, and even though I didn’t attend (it’s been 15 years since I have), all of the media, both “mainstream” and “tech”, has gushed over all of the new appliances and devices that are now in the category of what we would call the Internet of Things.  Items like home security,  home lighting, and refrigerators, to name a few.

There are many advantages to having connected appliances and devices, but, as I’ve written before (here, and here), there are threats as well.  Threats that can and will be exploited if unsuspecting users don’t secure them.  Last week (1/13/2016), Dark Reading interviewed the CEO of Trend Micro, Eva Chen, and she described some very real concerns, including two “layers” of security that they offer:

The first layer of offering we do is a security API that will provide [a way] to easily do a virtual patch, to prevent a remote attack, for example . . . the third layer is cloud: IoT cannot do anything without the cloud.  Most data is sent to the cloud and you will need to have proper protection and make sure the cloud is always available.

In both situations, users are vulnerable, mostly due to their own apathy.  Users often either don’t know how to patch their own machines (and in this case, devices) or have glanced over how to do it and just don’t bother, or if automatic patching is available, they don’t enable it.  When it comes to cloud computing, most users just assume that if their data is “up there”, the provider will take care of security.

If you really want your refrigerator to automatically create a list of items for you to purchase (e.g., you’re running low on milk) and send that list to your smartphone (via Evernote or some other app), you’re going to have to be responsible for your own security.  If available on your IoT device, enable automatic download of patches and updating of your system.  Don’t configure your IoT device with the default password that it comes with, change it to a secure password (and if you don’t know if yours is secure enough, test it in The Password Meter).  Read the users manual to find out how to enable your device’s security yourself.

You want to see, via wireless home security cameras enabled through the cloud, what’s going on in your house?  Fine.  Just practice the necessary security practices to really keep your home and its data secure.

New Year, Same Scams

The Tax Season is upon us, and once again the “IRS Scam” will be rearing its ugly head.  As I teach my students, as I’ve discussed in public lectures and presentations, this is one of the most insidious scams out there, and one that’s easily avoided.  Except that most people, especially seniors who were raised to trust and respect authority, continue to fall prey to it.  Face it, if you’re confronted with a phone caller who tells you that you might be served a warrant, your first instinct would be to be scared.  Your second might be to comply.  Except that you shouldn’t.

That’s because the IRS will NEVER initially call you regarding ANY issue.  The keyword here is initially.  If the IRS wants to contact you, they will initially send you a letter.  That’s right, via “snail mail,” i.e., the US Postal Service.  Once you have that letter, you might need to call THEM, and then you can establish a phone dialogue, but their initial contact with you will be via mail.  If you receive a phone call that you are not expecting from someone claiming to be from the IRS, just hang up (or, if you are being more adventurous, dare them to serve you with the warrant, and then hang up!).

It’s not just the IRS scam.  The Microsoft Tech Support scam is still alive and well, especially now that many have downloaded and installed Windows 10.   When you get a call from someone saying that they’re from “Microsoft Tech Support,” the first thing you must ask yourself is, “am I expecting this call?”  The second thing you must ask yourself is “how do they even know what operating system I’m running”?  But, in the end, you need to know that the REAL Microsoft Tech Support will never call you out of the blue. They will call in response to a request from you, but never without such a request.  If you get a call like this, you could play around with the caller a bit and ask him or her if they know what OS you’re running, what service pack or version you’re running (even if you don’t know what version you’re running), but it’s best just to hang up.  And never, never, never, give any identifying information (userids, passwords), let alone a credit card number.  Just hang up.

Have you been hacked? I (potentially) have

The other day the New York Times, in their online site, had a little interactive quiz – have you been hacked?  Based on the most recent well-known hacks, they asked some simple questions, such as “have you purchased anything from any of these stores (sic), or do have a job with the US government, or have you worked for the US government in the past two years?

I was able to say no to the US government question, but I failed the rest of the test: I have a Twitter account; I’ve shopped at Home Depot and Target in the past two years; and probably most importantly, my health insurance is with Blue Cross Blue Shield of Georgia, which is owned by . . . Anthem.

So what’s the tally?

  • My  address, twice
  • My birthday, once (presumably from the Anthem hack)
  • My credit or debit cards, twice
  • My e-mail (potentially up to three different e-mail accounts), four times
  • My employment history, once.  This one is somewhat murky, as Anthem would have access to how long I’ve been a professor at Armstrong State, but I don’t think a hacker could get the details of my employment (performance reviews, etc) from Anthem
  • My health history, obviously from Anthem, twice
  • My password (encryption), once.  Since I don’t use the same password for each site, this one may not be that scary.
  • And, of course, my Social Security Number, presumably from the Anthem breach, once

So, what does someone do about all of these intrusions? There are several suggestions, the first of which, of course, is to check your credit history.  Check your bank and credit card statements, regularly. Change passwords, which I’m probably a bit overdue on some sites. Use a password manager, which I do.  Secure your wireless access point (router).  Use and update your anti-virus software.  Unfortunately, beyond these suggestions, unfortunately, there isn’t much an individual can do.  Just understand that no one is going to protect you – you have to protect yourself.

BYOD – becoming a thing of the past?

Two years ago, as a summer research project, I investigated BYOD policies: what are the elements of a sound BYOD policy; who has them, who doesn’t; and whether they are effective.  It was a lengthy process, and I presented my findings at a colloquium of my college in October, 2013.  Not only that, that Fall Semester, I had my Cyber Security I (Fundamentals of Information Security) craft an effective BYOD policy as part of their semester group project.

Two years ago, it seemed that BYOD was going to be the future of mobile devices in organizations, and that mobile device management policies (MDM), especially automated MDM policies from 3rd party vendors, were going to be controlling BYOD in the organization. Still, as several students pointed out in class, if companies would just “hand out” mobile devices instead of allowing BYOD, the need for managing personal devices in the workplace would slowly disappear.

According to this article from Computerworld this week, it’s starting to come to that.  In the article, Jack Gold, an analyst at J. Gold Associates, stated that:

“There certainly is a curtailment of BYOD from where everyone thought it would be a couple of years back,” Gold said. “Companies are much more cautious now, knowing that the benefits of BYOD often don’t outweigh the risks.”

For many companies, the presumed cost-savings in letting employees use their own devices just hasn’t outweighed the security and management headaches of BYOD.

Gold cited the rise of the use of cloud-based file-sharing services such as leading to the slow demise of BYOD.  If employees can save their personal docs and photos in the cloud, they don’t need to worry about losing them if the worker leaves the company and has to return the device. As a result, employees are more willing to accept the use of employer-provided devices, knowing that their personal data is elsewhere.

While BYOD has not disappeared from the workplace, it appears that, for many of the security reasons I identified two years ago, it’s in decline.  And for security-conscious organizations who want to segregate their employees’ personal lives from their work lives, that’s a good thing.

One thing you should do if you’re into the Internet of Things (IoT)

A July 7 article in Computerworld detailed The Internet of Things: Your Worst Nightmare.

Author Preston Gralla described the nightmare that would ensue when all of our home media devices, appliances, and even our electric (well, battery powered) toothbrushes are connected to a wireless access point (WAP) router.  Now I haven’t had the problem of having a WAP burn out (ever), but nonetheless, his article discusses what happens when each device has to be authenticated to the new wireless network.  After reading his article, I’m not sure that I want to be involved with IoT, but more and more of our electronics are.  It’s just a matter of time before most of our household devices are connected to the Internet.

So what’s the one thing you should do if your devices are part of IoT? You need to make sure that your WAP is secured with a nearly unbreakable password or passphrase.  Way too many users bring wireless routers into their home, connect their devices to it, and never enable the WPA2 security.  And even if they do, they usually just keep the default password (here I’m presuming it’s a simple password) or create their own simple password (“password”, “12345678”, etc.).  Full disclosure here – my ISP-provided WAP came with a default password, and I kept it.  But this password has SIXTEEN characters, randomly generated, and includes alphas and numbers.  So given that I determined it was unbreakable (well, www.thepasswordmeter.com did that for me), I kept it.  But I certainly would have changed it if it had been something simple, and if yours is, you should change it, too.

You just never know when your refrigerator is going to get hacked and start melting your ice cream!

Firewalls and the difficulty of teaching Information Technology

The hardest thing about teaching IT (and Cyber Security) is keeping up with the speed at which technology changes. When long-held beliefs are only held for 5 to 10 years (or less), it’s hard to determine what should be taught. This was brought to my attention last week in an article from Dark Reading, Why the firewall is becoming irrelevant.  The author, Asaf Cidon, makes two good points regarding the possible irrelevance of firewalls:

  1. Data resides on company servers and unsecured employee devices. The BYOD revolution, and the use of cloud-based software such as Dropbox to store data, has made it easy for employees to do work from the office by syncing company data to their mobile devices.  The problem, of course, is that a firewall can’t protect data once it’s left the secured company server.
  2. Consequently, as he points out, that data ends up everywhere – with employees, suppliers, partners, clients, etc., and it’s likely that none of them are securing your data.  How can a firewall protect that data?

From an academic point-of-view, is that this is rather disturbing.  Our second Cyber Security course at Armstrong is entitled Network Security: Firewalls and VPNs.  Is it reasonable to be teaching our students firewall concepts and practices if they’re “irrelevant?”

I would like to think that’s not the case – companies still place their data on corporate servers that must be protected.  And, in a “point-counterpoint” kind of article, Firewalls sustain foundation of sound security,  author Jody Brazil makes the point that firewalls are still a valuable tool in securing the enterprise.  As he states:

While paradigms including mobility, virtualization and the cloud have created a new set of challenges (along with opportunities) to invoke additional security controls, the resulting distribution and hyper-segmentation of networks has in fact only made effective firewall management more important than ever before.

His defense of firewalls stands on three points:

  1. Firewall dependencies are expanding, not contracting.  95% of 700+ respondents to the 2014 FireMon State of the Firewall Report indicated that the use of effective firewalls are more important to protecting their security management.
  2. Firewalls provide an effective and important means of securing virtualized network environments
  3. “Firewalls are one of the few security technologies with a positive whitelist security model – allowing only necessary network traffic while denying the rest –the best defense against evolving threats.”

I read Dark Reading daily, and when I read the first article, my initial thought was “oh no, we’ve devised and implemented a curriculum that’s already obsolete.” Then I read the second, and felt somewhat vindicated. We still need to teach our students the basic components of an effective, layered defense of systems and networks. What we have to do going forward is recognize that IT is always changing, and that while we continue to teach the basics, we embrace the future, and ensure that our students understand how change is affecting the way we defend our information systems.

Appalling Violations of Basic Principles

Cyber / Information Security can’t be that hard, can it? The guidelines are available, the principles are available, the regulations exist, and if you’re in the government, the NIST docs and FISMA exist, too. I teach my students in our Cyber Security I (Fundamentals of Information Security) course that if you need to secure your business, there’s no better place to start than to use the NIST 800-series docs as a guideline. And yet, as described in the New York Times article on the Chinese hack into the Office of Personnel Management, a lot of the basic principles were violated.  Some of which were:

  • Failure to inventory computers, especially laptops containing sensitive information (or even those that didn’t contain that kind of information)
  • Failure to require secure passwords, and to change those passwords regularly, according to a schedule
  • Failure to install the necessary security & update patches
  • No firewall set up, and no Intrusion Detection and Prevention Systems (IDPSs) set up
  • Failure to encrypt data
  • Failure to monitor the network (again, IDPSs would be one component of doing this)

All of these precautions are not only in the textbook we use for our first Cyber Security course, they’re in the NIST docs that the government requires its personnel to use as guidelines for managing information security.  It’s just astounding that the very principles set forth by the federal government for their own agencies to use, very valid principles, were not followed by a governmental agency.

Perhaps the students we graduate from our program at Armstrong will go into government service and help straighten them out.

It’s impossible to stop the hackers, or is it?

Knowing that I’m a professor of IT who teaches Cyber Security, one of the questions I am repeatedly asked (usually, it’s more of a statement than a question) is: “it’s just impossible to stop ‘them’ (substitute criminals, China, N Korea, etc. for “them”) from hacking.” Those who ask this (or perhaps, state it to me) just throw up their arms as if it’s a foregone conclusion.  But I posit that it’s NOT.  To quote the cartoon character Pogo (paraphrased from US Navy Commodore Oliver Hazard Perry in the War of 1812), “we have met the enemy, and he is us.”  That’s right, you just cannot remove people from the system.  And consequently, you just cannot remove the lunk-headed, misguided, or just plain ignorant (accidental) things that people do from a computer system.  When people click on links in spear-phishing e-mails, they’re compromising their entire network, because that link may drop malware onto their networked desktop.

In the opinion section of today’s CNN, in the article “Why the Cyberattacks Keep Coming,” Associate Professor Arun Vishwanath of the State University of New York at Buffalo makes that very claim – that we are the insiders who unintentionally, and accidentally, hand over the keys of the network to the bad guys.  He gives two good reasons why insiders (employees) accidentally give over the keys to the kingdom to hackers.  The second is something that I teach my students here at ASU over and over again, and I’ve made mention of this in several presentations and TV interviews:

The second problem stems from people’s cyber habits, where many online actions such as checking emails and texting have become so routine that people are often unaware of when they perform these behaviors. As a result, many people quickly open emails or mindlessly click on links and attachments with nary a thought of its consequences. Smartphones, which the majority of us now use to connect to the Internet, have further exacerbated the problem by making it possible for people to check email frequently while simultaneously being engaged in a number of other activities. Smartphone apps and screen sizes also restrict how much information is presented, which can make it difficult to check the veracity of an email even if one is so inclined.

I often teach that users need to “mouse over”  a link in an e-mail to see where it’s actually going before clicking on it.  Once you see that the e-mail came from some source other than where you thought it was coming from, you’ll know enough not to click on that link, and to delete the e-mail. He makes that point – that we need to train users how to spot a fraudulent e-mail.  I use the Sonicwall e-mail test in my classes (and presentations) to show people how to spot one.

We’ve all just become so used to technology that we expect anti-virus software, firewalls, etc., to do the job for us, when, in fact, we need to become more tech-savvy and do the job for ourselves.  Since so many attacks are caused by hackers looking for information that we have provided them, we all need to be trained to reject their advances and ensure that we don’t make their job easier by falling prey to their lures.

I’ll have a little hack with that latte

It’s become so easy to use our phones to pay for goods, especially on the go.  While many of us use our debit/credit cards, loaded into an app, to pay for an item from our phone, the proliferation of third-party apps that allow us to do this has made it even easier. Unfortunately, many of us don’t realize that there’s a double-edged sword to using those third-party apps . . . they can be hacked.

The latest victim in the never-ending fight to keep our data secure is the Starbucks app, which allows us to pay from our smartphone, whether it’s an Android or iPhone device.  As Bob Sullivan’s article (he has his own “Red Tape Chronicles” site) on NBCNews.com describes, hackers have found a way into the Starbucks app through the auto-reload feature of the app (and its associated gift card) to drain the Starbucks account, automatically reload the account against the registered gift card, and then drain that as well.

But what’s more insidious about this hack is that the auto-reload feature of the app, associated with the Starbucks card, is auto-reloaded from a linked debit or credit card.  So the perpetrators are stealing from the debit or credit card you used to auto-reload your Starbucks card (app). It’s so convenient to auto-reload from that stored card, you just don’t think about it.

Starbucks likes the app because it reduces credit-debit card interchange transaction fees and it improves customer loyalty.  And admittedly, although this hack has occurred, it’s not widespread.  In addition, Starbucks states that

“We take the obligation to protect customers’ information seriously and have safeguards in place to constantly monitor for fraudulent activity, working closely with financial institutions like all major retailers,” said spokeswoman Maggie Jantzen. “Our customers’ security is incredibly important to us and we take all these concerns seriously. … Customers are not responsible for charges or transfers they didn’t make. If a customer registers their Starbucks Card, their account balance is protected by Starbucks.”

Still, how can you protect yourself against this hack?  There are several things you can do:

  • Use good old cash to buy your coffee.
  • Use your credit card (although, as pointed out above, Starbucks doesn’t prefer that you use this method)
  • Use your Starbucks card/app, but limit the amount of money you have in it at any given time, AND, most importantly, do not implement the auto-reload feature AND do not tie it to any given credit or debit card.  In other words, DON’T SAVE YOUR CC/DC IN THE STARBUCKS APP.  You want to reload some $$ into it?  Fine, do it with a small amount of money (maybe $5 or $10) and DON’T save that CC/DC.  It may be annoying, but just manually enter it each time.
  • Or, better yet, brew it at home, and take it with you, or brew it in your office (if it’s allowed)

So does life imitate art, or is it vice-versa?

A few weeks ago, I guess at the beginning of March, CBS debuted its much-hyped fourth venture into the Crime Scene Investigator world – CSI Cyber.  It didn’t hurt that the lead FBI agent, Patricia Arquette, had just won the Academy Award for Best Supporting Actress, a point not lost on CBS, who made no bones about that in their advertisements of the show once she had won it.  Considering that I enjoyed her performance in NBC’s Medium, and that I teach Cyber Security, I figured I’d give it a try.

Now I’m no media critic, but to me, the characters were not only stock characters from central casting, they just didn’t ring true.  The technical constructs also did not ring true – I don’t know of any code editor that will display malicious code in red.  But the one thing that seemed incomprehensible, even in this day of the Internet of Things (IoT), was that the central premise of the premiere episode was that someone was hacking into bedroom baby-cams in order to use them to kidnap babies.  The “unsubs” as they are known, were hacking in, making it seem like the children were still in their cribs, breaking into homes, and taking the children.  The whole thing sounded preposterous, until . . . wireless baby cam hacked – from Computerworld

It didn’t happen just once an unnamed mom told KTTC. “We were sleeping in bed, and basically heard some music coming from the nursery, but then when we went into the room the music turned off.” At one point, the family faced the camera “toward the wall, and then a few hours later we accessed the Foscam, and it wasn’t facing the wall it was facing the closet.”

“We were able to track down the IP address through the log files within the Foscam software and found out that it was coming from Amsterdam,” the mom said. “That IP address had a web link attached to it.” After following the link, she found, “at least fifteen different countries listed and it’s not just nurseries — it’s people’s living rooms, their bedrooms, their kitchens. Every place that people think is sacred and private in their home is being accessed.”

After searching through “thousands and thousands” of pictures coming from IP cameras, the family saw their nursery. “You can literally just sort by whatever country suits your fancy, and whatever room suits your fancy,” the mom said. “It’s pretty sick.”

So now we have to worry about baby-cams REALLY being taken control of by wireless intruders.  What’s the recommendation to mitigate this bizarre threat?  Like any other device, it has firmware.  And that firmware needs to be updated, because just like any other firmware, security patches are included in it.  So if you have a Foscam baby-cam, you need to make sure that its firmware is current.

But that’s not all. Even if your WiFi router/access point is password-protected (and hopefully, with something more secure than the default password or just “password” or “123456”), the Foscam baby-cam can be password-protected, too.  And it needs to be.  And it needs to be with some password that’s more secure, again, than just a default, or “password”.  Now, it’s true that the current version of the Foscam baby-cam forces the user to change the default password when setting it up, but if you’ve got an older one, older than one year ago, you need to change that password (or perhaps, enable one if it doesn’t even have one), NOW.